OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

PERFORMANCE MEASURE REVIEW:
RELIABILITY OF THE DATA USED TO MEASURE THE
POSTING OF EARNINGS ITEMS

MARCH 2000   A-02-99-01008

AUDIT REPORT

Office of the Inspector General

March 21, 2000

William A. Halter
Deputy Commissioner of Social Security

Inspector General

Performance Measure Review: Reliability of the Data Used to Measure the Posting of
Earnings Items (A-02-99-01008)

To fulfill the responsibilities of our workplan related to performance measurement, we
contracted PricewaterhouseCoopers (PwC) to evaluate nine of the Social Security
Administration’s (SSA) Fiscal Year 1999 performance indicators that were established
by SSA to comply with the Government Performance and Results Act.

Attached is a copy of the final report on one of the performance indicators reviewed.
The objective of this review was to assess the reliability of the data used to measure
performance of the posting of earnings process.

In addition to releasing individual reports on the performance indicators reviewed, PwC
released a summary report on all of the indicators reviewed. SSA commented on the
summary report, Performance Measure Review: Summary of PricewaterhouseCoopers’,
LLP Review of the Social Security Administration's Performance Data (A-02-00-20024).
Agency comments to the summary report were provided to us on January 28, 2000.
The comments related to the subject of this report are included in Appendix C. PwC
reformatted the Agency comments to align them with the firm's recommendations
presented in the final report. Nonetheless, SSA's comments were not changed during
the reformatting process.

You do not need to respond to this report, since you are responding to the same
comments attached to PwC’s summary report.
If you wish to discuss the final report,
please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector
General for Audit, at 410-965-9700.

James G. Huse, Jr.

Attachment

Evaluation of Selected Performance Measures of the Social Security Administration:
Reliability of the Data Used to Measure the Posting of Earnings Items

Office of the Inspector General
Social Security Administration

Agency comments to this report were provided to us on January 28, 2000. Many of the
recommendations made in this report are also found in earlier financial statement audit
reports. In Appendix C, the Agency notes in its comments, “Since we are already taking
corrective actions for those that we accepted as valid, we will not be addressing the
duplicate recommendations in this response.”

For the reader to be fully aware of SSA’s comments that were made to each of the duplicate
recommendations found in this present report, we incorporated those Agency comments that
were made contemporaneously with the earlier audit report recommendations as part of the
Agency comments located at Appendix C of this report.

A-02-99-01008   February 18, 2000

Table of Contents

Performance Measures Evaluation
  Introduction
  Results of Engagement
  Other Matters
Appendix A: Background
Appendix B: Scope and Methodology
Appendix C: Agency Comments and PwC Response
Appendix D: Performance Measure Summary Sheets
Appendix E: Performance Measure Process Maps

INTRODUCTION

The Government Performance and Results Act (GPRA), Public Law Number 103-62,
107 Statute 285 (1993), requires the
Social Security Administration (SSA) to develop
performance indicators for fiscal year (FY) 1999 that assess the relevant service levels
and outcomes of each program's activity. GPRA also calls for a description of the
means employed to verify and validate the measured values used to report on program
performance. SSA has stated that the Office of the Inspector General (OIG) plays a
vital role in evaluating the data used to measure performance. The OIG contracted
PricewaterhouseCoopers (PwC) to evaluate the following GPRA performance
indicator(s):

1. Percent of Old Age and Survivors' Insurance (OASI) claims processed by the
   time the first regular payment is due, or within 14 days from effective filing
   date, if later
2. OASI claims processed
3. Percent of initial Supplemental Security Income (SSI) aged claims processed
   within 14 days of filing
4. SSI aged claims processed
5. Representative Payee Actions
6. Social Security Number (SSN) requests processed
7. Annual earnings items
8. Percent of earnings posted to individuals’ records by September 30
9. Percentage of individuals issued SSA-Initiated Personal Earnings and Benefit
   Estimate Statements (SIPEBES) as required by law

To evaluate the nine SSA performance indicators established by SSA to comply with
GPRA, PwC was contracted to:

• Gain an understanding and document the current FY 1999 system sources from
  which data is collected to report on the specified performance measures;
• Identify and test critical controls (both electronic data processing (EDP) and manual)
  of current FY 1999 systems from which the specified performance data is generated;
• Test the accuracy of the underlying FY 1998 data for each of the specified
  performance measures;
• Recalculate each specific FY 1998 measure to ascertain its mathematical accuracy;
• Evaluate the impact of any relevant findings from prior and current audits with
  respect to SSA's ability to meet performance measure objectives; and
• Identify findings relative to the above procedures and make suggestions for
  improvement.

This is one of six separate stand-alone reports, corresponding to the following SSA
process, performance measures (PM), and Contract Identification Number (CIN):

• Posting of Annual Earning Items (PM #7 and #8)    A-02-99-01008

This report reflects our understanding and evaluation of the posting of annual earning
items process. The report is organized in the following manner. The next section titled
"Results of Engagement" identifies our findings and explains their relevance to SSA
performance measurement. It also provides recommendations and suggestions for
improvement.
All other information is contained in the appendices, as follows:

APPENDIX A – Background
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – Performance Measure Summary Sheets
APPENDIX E – Performance Measure Process Maps


RESULTS OF ENGAGEMENT

During the period of June 9, 1999 to October 1, 1999, we evaluated the current
processes, systems and controls, which support the FY 1999 performance measure
process. In addition, we determined the accuracy of the underlying performance
measure data. Since FY 1999 data were not always available, we often used FY 1998
data to perform our testing. Although SSA was not required to comply with GPRA until
FY 1999, they voluntarily reported results in the FY 1998 Accountability Report for
Posting of Annual Earnings Items. As a result, we were able to use our knowledge of
current processes, systems, and controls to judge the accuracy of the performance
measures based on the FY 1998 results.

Our evaluation allowed us to determine that the reported FY 1998 results of the two
performance measures tested (as itemized below) were reasonably stated.

   Performance Measure                                                     Reported Result
   7. Annual earnings items                                                    266,011,984
   8. Percent of earnings posted to individuals’ records by September 30             97.7%

However, we did note the following eight opportunities for improvement, listed in order
of their relative importance:

1. SSA lacks sufficient performance measure process documentation and did not retain
   documents to support the FY 1998 amounts
2. SSA has a number of data integrity deficiencies
3. SSA's system environment has security deficiencies
4. GPRA documents prepared for external evaluation of SSA performance do not
   clearly indicate the sources of the performance measures
5. SSA did not calculate the performance measure as it is defined
6. The Cost Analysis System (CAS) procedural and systems documentation have not
   been updated
7. SSA has systems design and documentation deficiencies
8. SSA has a number of deficiencies in their systems contingency plan

Additionally, we evaluated the appropriateness of the nine performance measures with
respect to the future requirements of GPRA. As a result, we noted three areas in which
SSA could better prepare itself to incorporate the final phases of GPRA in their
processes. These results are discussed below in the Other Matters section.

These items were noted as a result of our testing the underlying performance measure
data, as well as the EDP and manual controls of the systems generating the
performance measure data, and are discussed in detail below.

Throughout our evaluation of the performance measures, we noted the strong
commitment of SSA's staff to correctly implement GPRA.


1. SSA lacks sufficient performance measure process documentation and did
   not retain documents to support the FY 1998 amounts

GPRA requires that agencies "describe the means to be used to verify and validate
measured values." Furthermore, the Office of Management and Budget (OMB) Circular
No. A-123, Internal Control Systems, requires that "documentation for transactions,
management controls, and other significant events must be clear and readily available
for examination." Finally, National Institute of Standards and Technology (NIST) Special
Publication 800-18, 5.MA.7, requires that system documentation be maintained as part
of a formalized security and operational procedures record.
Therefore, agencies must
establish a clear methodology for verifying performance measure values, and retain the
appropriate documentation to enable an audit of their performance measure values
based on the methodology. Although this requirement was not effective for the FY 1998
Accountability Report, it is effective beginning in FY 1999.

While general policies and procedures exist for all documents produced at SSA (as
found in the SSA Administrative Instructions Manual System/Operational and
Administrative Record Schedules), SSA does not have formal policies and procedures
in place regarding the retention of performance measure documentation. During
testing, we noted that SSA lacked sufficient documentation regarding the processes
surrounding the accumulation and generation of performance indicator data.
Furthermore, SSA could not consistently provide the documentation necessary to verify
their performance measure values as reported in their FY 1998 Accountability Report.

Specifically, we noted that SSA was unable to provide a comprehensive process map
documenting the flow of performance measure data from the receipt of tax data, through
the Earnings Record Maintenance System (ERMS, the system of record), to the
accumulation of yearly performance measure data in the CAS.

If SSA does not establish a methodology for verifying performance measure values and
institute an adequate document retention system, they will not be in compliance with
GPRA. Furthermore, a significant lack of documentation does not provide a proper
audit trail to facilitate verification of the performance measures as required by GPRA.

Recommendations:
We recommend that SSA expand the role of Office of Strategic Management (OSM)
with respect to performance measures, or place ownership for the performance
measure process and reporting within an organizational unit.
In either case, data
ownership would still remain with the user organizations. However, an organizational
unit should be accountable for the overall performance measure processes and results.
Their charter should include the following responsibilities:

• Identify and document the processes surrounding the generation and accumulation
  of performance measure values. This would establish a clear method for verifying
  and validating the performance measures

• Establish policies and procedures surrounding the retention of performance measure
  documentation. The documentation retained should allow for the timely verification
  of the performance measure values, and should be maintained for at least one year

• As new systems are developed, evaluate their potential impact on the accumulation
  of performance measure data. Systems with potential impact should be designed to
  include the means of producing a verifiable audit trail to validate the performance
  measure results as they are defined in the Accountability Report


2. SSA has a number of data integrity deficiencies

OMB Circular No. A-127, Financial Management Systems, requires that a Federal
Agency's systems include a system of internal controls to ensure that the data used to
produce reports is reliable. During our FY 1999 Financial Audit, we noted a number of
data integrity deficiencies that result in a lack of control over both the input and
maintenance of data, as well as the resolution of suspense items. While an adverse
effect upon performance measure data was not observed during our testing, this lack of
control can affect the validity and completeness of the performance measures.
Specifically, we noted that SSA needs to address ERMS suspense file and
reconciliation issues by expediting the approval and implementation of its established
tactical plan.
Earnings items left unreconciled or in suspense could be posted to
individuals' accounts if the appropriate actions are taken, thus including them in the
annual count. By not addressing these issues, SSA may be understating the number of
earnings items able to be posted in the annual count, affecting performance measures
#7 and #8.

Recommendations:
As previously stated in the FY 1999 Accountability Report, we recommend that SSA
explore ways to expedite its efforts in approving and implementing the established
tactical plan addressing the suspense file and reconciliation issues (ERMS).


3. SSA's system environment has security deficiencies

We noted in our FY 1999 Financial Audit that SSA’s systems environment remains
threatened by weaknesses in several components of its information protection internal
control structure. Because disclosure of detailed information about these weaknesses
might further compromise controls, we are providing no further details here. Instead,
the specifics are presented in a separate, limited-distribution management letter, dated
November 18, 1999. The general areas where weaknesses were noted are:

• The entity-wide security program and associated weaknesses in developing,
  implementing and monitoring local area network (LAN) and distributed systems
  security;

• SSA’s mainframe computer security and operating system configuration;

• Physical access controls at non-headquarter locations; and

• Certification and accreditation of certain general support and major application
  systems.

Until corrected, these weaknesses will continue to increase the risks of unauthorized
access to, and modification or disclosure of, sensitive SSA information.
While these
weaknesses do not directly affect the performance measures, a risk still exists.
Unauthorized access to sensitive data can result in the loss of data associated with
SSA’s enumeration, earnings, retirement, and disability processes and programs, thus
affecting all performance measures.

Recommendations:
As previously reported in the FY 1999 Accountability Report, we recommend that SSA
accelerate and build on its progress to enhance information protection by further
strengthening its entity-wide security as it relates to implementation of physical and
technical computer security mechanisms and controls throughout the organization. In
general, we recommend that SSA:

• Reevaluate its overall organization-wide security architecture;

• Reassess the security roles and responsibilities throughout the organization’s central
  and regional office components;

• Assure that the appropriate level of trained resources are in place to develop,
  implement and monitor the SSA security program;

• Enhance and institutionalize an entity-wide security program that facilitates
  strengthening of LAN and distributed systems’ security;

• Review and certify system access for all users;

• Enhance procedures for removing system access when employees are transferred or
  leave the agency;

• Decrease vulnerabilities in the mainframe operating system configuration;

• Implement the mainframe monitoring process;

• Finalize accreditation and certification of systems;

• Develop and implement an ongoing entity-wide information security compliance
  program; and

• Strengthen physical access controls at non-headquarters sites.

More specific recommendations are included in a separate,
limited-distribution
management letter, dated November 18, 1999.


4. GPRA documents prepared for external evaluation of SSA performance
   could better document the sources of the performance measures

Since FY 1999, OMB Circular A-11, Preparation and Submission of Strategic Plans,
Annual Performance Plans, and Annual Program Performance Reports, states that "the
annual plan must include an identification of the means the agency will use to verify and
validate the measured performance values." This suggests that an agency should detail
the source of performance data. SSA's documents prepared for external reporting,
including the 1997-2002 Strategic Plan, the FY 2000 Annual Performance Plan, and the
FY 1998 Annual Accountability Report, could better document the SSA sources used to
obtain the performance measures we evaluated.

In the case of three performance measures, the FY 2000 Annual Performance Plan, the
most recent document at the time of this audit, does list a data source for Performance
Measure #1 as "The End-of-Line Processing Report," a data source for Performance
Measure #3 as "The Title XVI Processing Time System," and a data source for
Performance Measure #8 as the "Earnings Posted Overall Cross Total/Year to Date
System (EPOXY)." However, the external stakeholder is not told of the origin of these
documents or of the underlying processes and programmatic systems that produce the
reported metrics. Furthermore, the sources of the other six measures are not clearly
indicated.

All nine metrics are referred to in the SSA documentation as GPRA indicators. As a
result, OMB Circular A-11, Section 220.12, requires that they be documented.
By improving the description of the sources, SSA would enhance the credibility of the
underlying data used to formulate each performance measure.

Recommendation:
We recommend that SSA develop clear and concise descriptions of each performance
measure's source. As specifically recommended by OMB Circular A-11, these
descriptions should include:

• The current existence of relevant baseline data, including the time-span covered by
  trend data;
• The expected use of existing agency systems in the collection and reporting of data;
• The source of the measured data;
• Any expected reliance on an external source(s) for data, and identification of the
  source(s); and
• Any changes or improvements being made to existing data collection and reporting
  systems or processes to modify, improve, or expand their capability.


5. SSA did not calculate the performance measure as it is defined

GPRA requires Federal agencies to "establish performance goals to define the level of
performance to be achieved,…to express such goals in an objective, quantifiable, and
measurable form,…(and to) describe the means to be used to verify and validate
measured values." Agencies must clearly define the components of each performance
measure so that it reflects the intent of the established goal, and so that the
performance measures can be validated.

SSA defines the measure as the number of individuals' earnings items posted from the
beginning of the tax year (TY) through September 30 of the TY, divided by the
estimated total posted annual earnings for the entire TY (Per SSA, the actual number of
annual earnings posted is used in the calculation in subsequent annual Accountability
Reports).
However, we determined that SSA calculates the performance measure as
the number of individuals' earnings items posted, less self-employment earnings items
posted, from the beginning of the tax year (TY) through September 30 of the TY, divided
by the estimated total posted annual earnings, less self-employment earnings items
posted, for the entire TY.

Individuals send their self-employed earnings data to the Internal Revenue Service
(IRS), where it is electronically processed, and then forwarded to SSA. As the
self-employed earnings data is processed outside of SSA, it is not included in their entire TY
count (PM #7), which is a workload count of the total number of earnings items. All other
earnings data is received directly by SSA and electronically processed. However, the
objective of performance measure #8 is to measure the timeliness in posting earnings
data to individuals' records.

This condition was reported upon in the OIG’s Performance Measure Review: Survey of
the Social Security Administration's (SSA) Performance Measurement Data
(CIN: A-02-98-01004), which recommended that SSA either include the self-employment earnings
in their entire TY count, or disclose their absence. Furthermore, SSA management has
stated that they have addressed this issue in their draft fiscal year 2000 performance
plan.

Recommendations:
As previously recommended in the OIG report entitled, "Performance Measurement
Review: Survey of the Sources of the Social Security Administration's Performance
Measurement Data" (A-02-98-01004) (issued in final on November 22, 1999), we
recommend that SSA include the self-employment earnings in their calculation of
performance measure #8. This calculation would more accurately reflect the objective
of the measure.
If this is not feasible, we recommend that SSA clarify the definition
given for the performance measurement to include language stating that the total
number of annual earnings items posted is reduced by the number of self-employment
wages processed by the IRS. In addition, we recommend that SSA include a footnote
in its Accountability Report to indicate that the percent of annual earnings posted by
September 30th performance measurement is calculated on total annual earnings items
posted less self-employment wages processed by the IRS.


6. CAS procedural and systems documentation has not been updated

OMB Circular A-127, Financial Management Systems, requires that all system
"documentation (software, system, operations, user manuals, operating procedures,
etc.) shall be kept up-to-date" and that "system user documentation shall be in
sufficient detail to permit a person, knowledgeable of the agency's programs and of
systems generally, to obtain a comprehensive understanding of the entire operation of
each system. Technical systems documentation such as requirements documents,
systems specifications and operating instructions shall be adequate to enable technical
personnel to operate the system in an effective and efficient manner."

During our FY 1999 Financial Audit testing, we noted that the procedural and systems
documentation for CAS was not current, with the last update occurring in FY 1995.
Since this last update, two major changes have occurred: (1) a reorganization that
combined functions of the former Cost Analysis Branch and the former Budget Systems
Branch into the Division of Cost Analysis (DCA), and (2) migration of CAS to the
National Computer Center mainframe computer system.
Thus, out-of-date
documentation could result in a situation where new and/or existing DCA employees do
not have adequate reference material to assist them in the timely and successful
completion of their job tasks/responsibilities. If SSA does not use CAS successfully, all
performance measure indicators accumulated using CAS (including #7 and #8) could be
affected. Data relating to the relevant performance measures may not be accumulated
correctly or completely. It should be noted that SSA is in the process of replacing CAS
piecemeal. As segments are replaced, SSA has obtained current system
documentation (but not procedural documentation).

Recommendation:
We recommend that DCA explore alternatives for acquiring the resources needed to
update the existing CAS procedural and systems documentation, and to obtain
procedural documentation for the replacement systems.


7. SSA has systems design and documentation deficiencies

During our FY99 Financial Audit testing, we noted specific systems design and
documentation deficiencies that indicate a lack of control over both the system design
and documentation. While these deficiencies do not have a direct effect on the
performance measures, a risk still exists. This lack of control affects the ability of SSA
to effectively design, implement, and use their computer systems. If SSA is not
effectively using their computer systems to accumulate and calculate performance
measures, the resulting performance measure amounts could be affected. Our specific
findings were:

• Full documentation of program changes evidencing user approval and testing was
  not always maintained.
  In addition, user initiation of changes to production
  programs could not be confirmed due to the absence of documentation indicating
  who initiated the changes;

• SSA's Software Engineering Technology (SET) did not establish different
  requirements for major development projects, routine maintenance, and cyclical
  changes; and

• SSA’s System Security Handbook (Chapter 10 on Systems Access Security) does
  not list all of the acceptable forms for granting access to SSA’s computerized
  systems and data.

Recommendations:
As previously stated in the FY 1999 Accountability Report, we recommend the following:

• SSA should complete implementation of its Validation Transaction Tracking System
  (VTTS) and continue with its plan to automate the process for submitting System
  Release Certification (SRC) forms

• SSA should complete implementation of Platinum's Process Engineering Tool (PET)
  and institutionalize Carnegie Mellon's Software Engineering Institute's Capability
  Maturity Model (CMM) methodology

• SSA should update its System Security Handbook (Chapter 10 on Systems Access
  Security) to address all of the acceptable forms for granting access to SSA’s
  computer systems and data


8. SSA has a number of deficiencies in their systems contingency plan

As a result of the FY 1999 SSA financial audit, we noted a number of deficiencies
which, in our view, would impair SSA’s ability to respond effectively to a disruption in
business operations as a result of a disaster or other long-term crisis. Although SSA has
performed a Business Impact Analysis, its list of critical workloads is still being finalized,
and recovery time objectives (RTOs) have not yet been established for each of the
critical workloads.
Consequently, SSA has not established recovery priorities for all of
its systems in the mainframe and distributed environments. Further, the plan for
recovering the critical workloads still needs to be fully tested. Finally, SSA has not fully
updated the contingency plans for the headquarters site or finalized and tested
contingency plans for non-headquarters sites.

While deficiencies in a contingency plan do not directly affect performance measures,
a risk still exists. A failure to respond effectively to a disruption through proven recovery
procedures could affect both the quality and quantity of data used in the accumulation
and calculation of all performance measures.

Recommendations:
As previously stated in the FY 1999 Accountability Report, we recommend that SSA:

• Finalize the list of critical SSA workloads and fully test the plans for recovering each
  workload;

• Establish RTOs for each critical workload;

• Establish recovery priorities for all systems and applications (mainframe and
  distributed);

• Update contingency plans for headquarters;

• Finalize and test SSA’s ultimate strategy for implementing and maintaining alternate
  processing facilities; and

• Finalize and test contingency plans for non-headquarters sites.


OTHER MATTERS

As part of this evaluation, PwC was tasked to evaluate the appropriateness of the
performance measures.
In this section, we discuss the relevance of each performance\nmeasure with respect to GPRA and look to the future by evaluating SSA\'s readiness to\nincorporate the final phases of GPRA into their processes.\n\n1.\t      Documents prepared for external evaluation of SSA performance could be\n         improved to clearly explain the intended uses of the performance measures\n         to comply with future GPRA requirements\n\nThe United States General Accounting Office (GAO) encourages agencies to "include\nexplanatory information on the goals and measures." 1 In addition, best practices in\nperformance measurement dictate that agencies should provide external stakeholders\nwith such information. Furthermore, it can be expected that agencies will be required to\nprovide such information in the near future as GPRA continues to evolve.\n\nOver the past few years, SSA has continuously improved their performance planning\ndocuments by adding in-depth discussions on their strategies and key performance\nindicators. With respect to the performance metrics studied as part of this evaluation,\nhowever, the 1997-2002 Strategic Plan, the FY 2000 Performance Plan, and the FY\n1998 Annual Accountability Report do not clearly explain the intended purpose of each\nperformance measure with respect to evaluating overall SSA performance. In each\ncase, the documents clearly associate each metric with the strategic goals and\nobjectives that they support, but they do not explain to the external stakeholder exactly\nhow they are applied.\n\nDescribing the use of these performance measures would help to clarify the overall\nobjectives of the SSA strategic planning process and would clarify how the subject\nmetrics fit into that process.\n\nIn a July 1999 report2, the General Accounting Office (GAO) rated Fiscal Year 2000\nAnnual Performance Plans of all federal agencies in three key elements of \xe2\x80\x9cinformative\nperformance plans:\xe2\x80\x9d\n\n1. 
Clear pictures of intended performance
2. Specific discussion of strategies and resources
3. Confidence that performance information will be credible

Although SSA was considered relatively strong as compared to most other agencies,
their weakest ratings were received for the categories of "Degree of Confidence that
Performance Information will be Credible" and "Specificity of Strategic Resources." Our
observations were consistent with these findings (see Item #4 in previous section,
Results of Engagement). However, if SSA develops clear and concise descriptions of
each performance measure's source and its intended strategic use, we believe they can
bolster their future GAO ratings relative to informative performance plans.

1 GAO/GGD/AIMD-99-69, "Agency Performance Plans"
2 GAO/GGD/AIMD-99-215, July 1999.

2. The nine performance measures are not explicit performance budgeting
   metrics, but are nonetheless appropriate internal performance indicators
   and are useful to the SSA strategic planning process

An important intent of GPRA in the future is to facilitate performance budgeting, which
will allow Federal agencies to allocate resources in an effort to achieve "optimal" results.
Consequently, agencies must develop measures that will help external stakeholders
such as Congress to match resources to performance.

Under GPRA requirements, an agency must rely on two distinctive types of measures:

         Outcome performance measures. These measures are intended to gauge the
         effectiveness of the organization at fulfilling its strategic goals. Often, however,
         these performance measures are not completely under the span of influence of
         the organization. 
Consequently, while they represent good measures of the
         accomplishment of a strategic goal, they do not reflect the success of an
         organization in contributing to the achievement of the goal.

         Workload and output performance measures.3 These measures are used to
         gauge the level of effort required for a given activity, including characteristics
         established as performance standards (e.g., Percent of OASI claims processed
         by the time the first regular payment is due or within 14 days from effective filing
         date, if later).

While outcome performance measures are often more accurate indicators of the
success or failure of an organization's strategic goals, it is workload and output
measures that fall under an organization's span of influence. Consequently, workload
and output measures are more often used in external reporting to support organizational
activities. However, these workload and output performance measures are seldom
related to either outcomes or amount of resources spent processing the workload or
creating the output. As a result, they represent little value to external stakeholders
making resource allocation decisions.

If viewed in isolation, none of the nine performance measures considered on this project
would suffice as explicit performance measures for external stakeholders to use in a
resource allocation or performance budgeting oversight role. However, that is not to
say that these measures are not of value. In fact, they indicate to external stakeholders,
including congressional appropriators, customers, policy makers, and the general
public, how effective SSA is at fulfilling its overall mission. More importantly, they serve
a useful internal purpose in the SSA performance planning process. 
For example,
many of the measures we analyzed (Performance Measures 2, 4, 5, 6, and 7) are
workload counts, which are important for individual program managers when making
management decisions.

3 The SSA documentation refers to such metrics strictly as outputs, but that is merely a matter of semantics. In
either case, they refer to a level of effort for a given activity.

        Performance Measure #7. The SSA FY 1998 Accountability Report references
        this metric as "Other Workloads" supporting the strategic objective "to position
        the Agency's resources and processes to meet emerging workloads." This, in
        turn, supports the strategic goal "to make SSA program management the best in
        business, with zero tolerance for fraud and abuse." These uses are reiterated in
        Appendix 1 of the FY 2000 Annual Performance Plan.

        This measure is not particularly valuable to an external stakeholder because it
        does not relate resource utilization to outputs or outcomes. However, it is clearly
        not intended for that purpose because the SSA documentation identifies it as an
        output measure for a workload, and it does help to indicate the overall
        effectiveness of SSA at fulfilling its mission.

        Performance Measure #8. The SSA Strategic Plan (1997 to 2002), the FY
        1998 Accountability Report, and the FY 2000 Annual Performance Plan all
        consistently position this metric in support of the objective "to maintain through
        2002, current levels of accuracy and timeliness in posting earnings data to
        individual's earnings records." 
This objective, in turn, supports the strategic goal
        "to make SSA program management the best in business, with zero tolerance for
        fraud and abuse."

        This measure, the Percent of earnings posted to individuals’ records by
        September 30, is not particularly valuable to an external stakeholder for
        performance budgeting because it does not relate resource utilization to an
        output or outcome. This measure may be useful to SSA as an internal indicator,
        particularly with respect to the strategic objectives it supports. Furthermore, the
        documentation clearly states that the objective is to maintain timeliness in posting
        earnings records. Nevertheless, the external stakeholder is not told about the
        significance of the September 30 date and how it relates SSA to being the best in
        business.

To SSA's credit, they have developed a number of useful performance measures in the
spirit of GPRA and have discussed them in proper detail in the FY 2000 Performance
Plan. 4 As we have shown, the nine performance measures covered by this project
cannot be considered as true high-level, external measures. Nevertheless, they do appear
to have specific uses, as discussed above. Again, SSA would benefit the external
stakeholder by clarifying exactly what these intended uses are (see “Other Matters” item
#1).

4 In earlier documents, such as the FY 1998 Accountability Report, SSA presented the performance measures in a
manner that seemed to give each one equal weight. 
In the more recent documents, however, SSA has placed greater
emphasis on the more high-level, outcome oriented performance measures.

3. SSA is positioned to be a leading performance-based budgeting
   organization and to meet the future requirements of GPRA

Since 1988, SSA has an established history of strategic planning, using specific
performance measurements. Building on this history, SSA implemented GPRA's
requirements for strategic planning, performance planning, and performance reporting.
One of GPRA's ultimate objectives is to facilitate performance budgeting, which will
allow Federal agencies to allocate resources in an effort to achieve "optimal" results.
Consequently, to help external stakeholders such as Congress match resources to
performance, agencies must eventually develop performance measures that are linked
to resource requirements.

Performance budgeting is the analysis of performance measurement data for the
purpose of allocating budgetary resources more effectively. Specifically, performance
budgeting for GPRA is complete upon the submission of multiple resource-to-result
scenarios within one annual budget.

The final stage of GPRA implementation is the successful piloting of performance
budgeting at no less than five federal agencies. Currently, few federal agencies are
capable of acting as a performance budgeting pilot and this final stage of GPRA has
consequently been delayed. However, the Office of Management and Budget (OMB)
has recently designated SSA as one of the government-wide performance budgeting
pilot projects. Within SSA, the Continuing Disability Reviews program is the specific
activity covered by this designation. OMB considers the performance budgeting pilot
projects to be an opportunity to examine the feasibility and potential application of
several approaches to performance budgeting. 
In this context, OMB intends to use
performance and resource data provided by the pilots during development of the FY
2001 budget and to report to Congress on the results of the pilots no later than March
31, 2001, as required by GPRA. With proper planning and preparation, SSA is uniquely
positioned to be one of the first truly successful performance-based budgeting
organizations.

In anticipation of the next phase of GPRA, we believe SSA needs to develop a suitable
performance budgetary model by combining cost accounting concepts with performance
measurement methodology. A high-level description of one possible model is listed
below:

• SSA defines a set of reporting segments that represent all of their work.
• SSA maps their performance measurements to these specific reporting segments.
• SSA calculates person-hours associated with these reporting segments, so that all
  personnel within SSA are accounted for in the model.
• SSA builds the model around this data to allow for current resource to
  workload/result analysis and future resource to workload/result forecasting.

SSA could build this model at any level of detail: by resource type, resource location, or
any other classification methodology. 
By linking resources to performance goals at this
level of detail, SSA would thus satisfy the annual performance-planning requirement for
specificity of strategies and resources, while striving to become the first agency to
successfully implement performance budgeting.

APPENDICES

APPENDIX A – Background

APPENDIX B – Scope and Methodology

APPENDIX C – Agency Comments

APPENDIX D – Performance Measure Summary Sheets

APPENDIX E – Performance Measure Process Maps

Appendix A

BACKGROUND

Government Performance and Results Act

The Government Performance and Results Act (GPRA) was enacted to increase
accountability in the Federal agencies. Prior to GPRA, Federal agencies lacked
well-defined program goals and adequate feedback regarding program performance. This
hindered Federal agencies in their efforts to increase program efficiency and
effectiveness, and prevented them from being accountable. Furthermore, this lack of
accountability on the part of the Federal managers prevented Congress from making
informed budgetary decisions. In order to increase accountability, GPRA required
Federal agencies to develop 5-year strategic plans, annual performance plans, and
annual performance reports.

Strategic plans define an agency's mission in terms of their major functions and
operations. The agency's goals and objectives, and how they will be achieved by the
agency, must be included in their strategic plan. 
The strategic plan also describes the
quantifiable performance measures to be used by the agency, and how they relate to
the agency's goals and objectives.

Annual performance plans establish objective, quantifiable, and measurable
performance goals for an agency. These plans also describe the operational processes
and resources necessary to meet the performance goals, establish performance
indicators to measure the relevant outcomes, and provide a basis for comparing the
outcomes with the performance goals. The annual performance plans also provide a
means to validate and verify the measured outcomes.

Annual performance reports compare the actual program performance achieved with
the performance goals for each performance indicator defined in the agency's annual
performance plan. These reports contain the agency's evaluation of their performance
plan relative to the performance achieved during the fiscal year. If performance goals
have not been met, the agency must include an explanation, as well as a plan for
achieving the performance goals in the future. Alternatively, if the agency believes the
goals are impractical, they would include their rationale and recommended alternatives
in the annual performance report.

SSA's Performance Measures

The Social Security Administration (SSA) defined five strategic goals in its FY 1998-2002
strategic plan, Keeping the Promises:

1. Promote valued, strong, and responsive social security programs and conduct
   effective policy development, research, and program evaluation
2. Deliver customer-responsive, world-class service
3. Make SSA program management the best in the business, with zero tolerance for
   fraud and abuse
4. Be an employer that values and invests in each employee
5. 
Strengthen public understanding of the social security programs

For each strategic goal, SSA's strategic plan also defined specific objectives to achieve
each of the goals.

SSA's FY98 annual GPRA performance report, published as part of their FY98
Accountability Report, includes actual performance data and goals for 57 performance
measures. PricewaterhouseCoopers was engaged to evaluate nine specific
performance indicators found in SSA's FY98 Accountability Report. The performance
indicators (or performance measures, as they are referred to in the Accountability
Report) are as follows:

1. Percent of OASI claims processed by the time the first regular payment is due or
   within 14 days from effective filing date, if later
2. OASI claims processed
3. Percent of initial SSI aged claims processed within 14 days of filing
4. SSI aged claims processed
5. Representative payee actions
6. SSN requests processed
7. Annual earnings items
8. Percent of earnings posted to individuals’ records by September 30
9. Percent of individuals issued SSA-Initiated PEBES as required by law

During testing, it was noted that the nine performance measures could be defined by six
distinct processes. The systematic flow of information for three of the measures was
almost identical to the flow of information for three other measures. Furthermore, these
groupings match those that the OIG has selected for generating their upcoming reports.
The six processes are as follows:

1. RSI claims (performance measures #1 and #2)
2. SSI aged claims (performance measures #3 and #4)
3. Representative payee actions (performance measure #5)
4. SSN requests processed (performance measure #6)
5. 
Annual earnings items (performance measures #7 and #8)
6. Percent of individuals issued SSA-Initiated PEBES as required by law (performance
   measure #9)

This report represents our understanding and evaluation of the annual earnings items
process.

The posted earnings process encompasses performance measures #7 and #8.
Performance measure #7, annual earnings items, totals the number of annual earnings
items posted to individuals' records during the current tax year. The objective of the measure is
to assist SSA in positioning their resources and processes to meet emerging workloads.
This objective relates to SSA's third strategic goal, to "make SSA program management
the best in the business, with zero tolerance for fraud and abuse". This measure is also
used in the calculation of performance measure #8 below.

This performance measure is presented as an estimated workload count, and includes
every claim that is completely processed during the current tax year (TY). The tax year
begins in February of the current fiscal year, and ends in the February of the following
fiscal year. For FY98, the TY began on the week ending February 20, 1998, and ended
52 weeks later. Tax years begin on the first date an individual may send in their earnings
information in one fiscal year, and end on the first day individuals can submit their
earnings information for the following fiscal year. The count does not include any
pending items. As the performance measure information is accumulated prior to the
end of this calculated year, the total amount for the year is estimated, and this
estimation is used as the performance measure. The actual amount is included in the
following annual performance report. The performance measure includes annual
counts for information obtained from current FICA W2s, Medicare for Qualified
Government Employee W2s, and Non-FICA W2s. 
The FY98 performance goal was
253,000,000 annual earnings items posted, and SSA reported the performance result
as 266,011,984 annual earnings items posted.

Performance measure #8, percent of earnings posted to individuals’ records by
September 30, determines how effectively SSA posts individuals' earnings to their
records. The objective is to maintain, through 2002, current levels of accuracy and
timeliness in posting earnings data to individuals’ earnings records. This objective
relates to SSA's third strategic goal, to "make SSA program management the best in the
business, with zero tolerance for fraud and abuse".

This performance measure is presented as a percentage. The numerator is defined as
the total number of individuals' earnings items posted, less self-employment earnings
items posted, from the beginning of the TY through September 30 of the TY. The
denominator is defined as the estimate of total posted annual earnings for the entire TY
(estimation generated by Office of Information Management and Office of Systems
Requirements). Once the actual amount is determined in the following year, the
performance measure is adjusted accordingly. The FY98 performance goal was 98
percent, and SSA reported the performance result as 97.7 percent.

Performance measures #7 and #8 are obtained from the Posted Earnings Process. 
The
data flow is depicted in Figure 5, and the underlying process is shown in greater detail
in Appendix E.

[Figure 5: Posted Earnings Process. Boxes, in order: W2 & W3 Information; National
Computer Center; Formatted Records; ERMS; Master Earnings File (MEF); EPOXY;
Accountability Report.]

The Earnings Record Maintenance System (ERMS) is the major programmatic system
used to post earnings. Employers send either paper or magnetic media W-2 and W-3
information to SSA. Conversely, self-employed individuals send their tax returns to the
IRS, and the IRS transfers it to SSA via a direct connection. In either case, once the raw
data is balanced, it is sent to File Control at the National Computer Center (NCC) and
subsequently written into commonly formatted records. After performing additional
balancing, validation and edit checks, ERMS posts each individual's earnings to the
Master Earnings File (MEF).

The Office of System Design and Development (OSDD) obtains performance measure
#7, The Total Number of Annual Earnings Items Posted, from EPOXY, a system
designed to provide management information from ERMS. This number is initially
reported as an estimate, and is revised the following year.

The Office of System Design and Development (OSDD) obtains performance measure
#8, The Percentage of Earnings Posted to Individuals' Records by September 30th, as
follows: The numerator, the number of earnings posted by September 30, is obtained
from EPOXY. 
OSDD subsequently obtains the estimated number of earnings posted
for a year from Office of Research Evaluation and Statistics (ORES), and corrects this
estimate with data from Office of Systems Requirements (OSR). This is the
denominator. PM #8 is then computed by dividing the numerator by the denominator.

OSDD provides Office of Financial Policy (OFPO) with both performance measures for
inclusion in the Accountability Report.

Appendix B

SCOPE AND METHODOLOGY

The SSA OIG contracted PricewaterhouseCoopers to evaluate nine of SSA's FY98
performance indicators established to comply with GPRA. This report reflects our
understanding and evaluation of the annual earnings items process, which includes
performance measures #7 (Annual earnings items) and #8 (Percent of earnings posted
to individuals' records by September 30). Testing was performed from June 9, 1999
through October 1, 1999, as follows:

1. Gain an understanding and document the sources from which data is collected to
   report on the specified performance measures;
2. Identify and test critical controls (both EDP and manual) of systems from which the
   specified performance data is generated;
3. Test the accuracy of the underlying data for each of the specified performance
   measures;
4. 
Recalculate each specific measure to ascertain its mathematical accuracy;
5. Evaluate the impact of any relevant findings from prior and current audits with
   respect to SSA's ability to meet performance measure objectives; and
6. Identify findings relative to the above procedures and make suggestions for
   improvement.

As a result of our reliance on prior and current SSA audits, our report contains the
results of internal control testing and system control deficiencies.

Limitations
Our engagement was limited to testing at SSA headquarters. Furthermore, when
recalculating the specific performance measures, we used FY98 data except when SSA
was unable to provide all the documentation necessary to fully evaluate the FY98
performance measure amounts reported in the Accountability Report. In those cases,
FY99 data was evaluated.

These procedures were performed in accordance with the AICPA's Statement on
Standards for Consulting Services, and are consistent with Government Auditing
Standards (Yellow Book, 1994 version).

1. Gain an understanding and document the sources from which data is
   collected to report on the specified performance measures

We obtained an understanding of the underlying processes and operating procedures
surrounding the generation of performance measures through interviews and meetings
with the appropriate SSA personnel and by reviewing the following documentation:

• Policies and procedures manual for procedures surrounding the processing,
  accumulating, and reporting of the data for the nine performance measures;
• PwC system walk-through descriptions;
• SSA-provided system descriptions;
• Internal or external reports on the nine performance measures (including OIG, GAO,
  etc.); and,
• Review of any of the nine performance measures performed in conjunction with prior
  financial audits by PricewaterhouseCoopers.

2.      
Identify and test critical controls (both EDP and manual) of systems from
        which the specified performance data is generated

Based on the understanding we obtained above in Methodology #1, we identified key
controls for the nine performance measures. For each of the nine performance
measures, the controls surrounding the following were tested (Note: in cases where
PricewaterhouseCoopers tested key controls as part of prior financial audits, findings
were updated, and testing was not reperformed):

Performance Measure #7: Annual earnings items

• Applicable application controls
• Applicable general computer controls
• Implementation of established tactical plan addressing the suspense file and
  reconciliation issues
• Procedures for changing the status of processed batches of data from "hold" to
  "verified"
• Current procedural and systems documentation for CAS

Performance Measure #8: Percent of earnings posted to individuals’ records by
September 30

• Applicable application controls
• Applicable general computer controls
• Implementation of established tactical plan addressing the suspense file and
  reconciliation issues
• Procedures for changing the status of processed batches of data from "hold" to
  "verified"
• Current procedural and systems documentation for CAS

All Performance Measures

• Formation of specific systems requirements for different major development projects,
  routine maintenance, and cyclical changes
• Information protection control structure (system security)
• SSA's systemic contingency plan
• Documentation of program changes evidencing user approval and testing
• SSA's System Security Handbook

3. 
     Test the accuracy of the underlying data for each of the specified
        performance measures

Based on the understanding we obtained above in Methodology #1, we identified key
files, databases, and reports for the nine performance measures. To ensure data
availability and to evaluate the data, Computer Assisted Audit Techniques (CAATs)
testing was performed for each of the nine performance measures as follows:

Performance Measure #7: Annual earnings items

• Ensured online central office Master Earnings File database fields were valid; and
• Replicated processed earnings items reported on Epoxy Accounting Statistics
  Report (Based upon sampling).

Performance Measure #8: Percent of earnings posted to individuals’ records by
September 30

• Ensured online central office Master Earnings File database fields were valid; and
• Replicated processed earnings items reported on Epoxy Accounting Statistics
  Report (Based upon sampling).

4.      
Recalculate each specific measure to ascertain its mathematical accuracy

Based on the understanding we obtained above in Methodology #1, we requested and
reviewed documentation to ensure the mathematical accuracy of the nine performance
measures as follows:

Performance Measure #7: Annual earnings items

• Traced performance measure values per the FY98 Accountability Report to the
  values per the CAS Report;
• Traced the performance measure values per the CAS Report to the performance
  measure values per the Epoxy Accounting Statistics Report; and
• Traced the performance measure values per the Epoxy Accounting Statistics Report
  to the performance measure values in ERMS.

Performance Measure #8: Percent of earnings posted to individuals’ records by
September 30

• Traced performance measure values per the FY98 Accountability Report to the
  values per the CAS Report;
• Traced the performance measure values per the CAS Report to the performance
  measure values per the Epoxy Accounting Statistics Report;
• Traced the performance measure values per the Epoxy Accounting Statistics Report
  to the performance measure values in ERMS; and
• Reperformed and verified calculation output on AWR spreadsheets.

5.      
Provide OIG management with a written report identifying findings relative
        to the above procedures, and with suggestions for improvement

Based upon the evaluation performed, as outlined in the four above methodologies,
PricewaterhouseCoopers has prepared a written report detailing the internal control
deficiencies in SSA's performance measurement systems, as well as inaccuracies in
SSA data used to report on the nine selected performance measures.
PricewaterhouseCoopers has also provided recommendations to address the system
deficiencies and data inaccuracies noted during the performance of the agreed upon
procedures.

6. Evaluate the impact of any relevant findings from prior and current audits
   with respect to SSA's ability to meet performance measure objectives

PricewaterhouseCoopers has noted five relevant findings from prior and current audits
that may impact SSA's ability to meet performance measure objectives. All findings
were noted in our FY99 financial audit. The relevant findings impact all performance
measures, and are as follows:

• SSA has a number of data integrity deficiencies
• SSA's system environment has security deficiencies
• CAS procedural and systems documentation have not been updated
• SSA has systems design and documentation deficiencies
• SSA has a number of deficiencies in their systems contingency plan

Appendix C

AGENCY COMMENTS

January 28, 2000

James G. Huse, Jr.
Inspector General

William A. 
Halter
Deputy Commissioner

Office of the Inspector General (OIG) Draft Report, "OIG Performance Measure Review:
Summary of PricewaterhouseCoopers (PwC) LLP Review of SSA’s Performance Data"

We appreciate the opportunity to comment on the draft summary report. We also
appreciate the OIG/PwC acknowledgement that SSA has developed a number of useful
performance measures in the spirit of the Government Performance and Results Act
(GPRA) and has discussed them in proper detail in the FY 2000 Performance Plan.

Further, we appreciate the report’s stated intention to provide SSA with suggestions
which may assist us in preparing for the final phases of GPRA. However, we believe
the report should more clearly state throughout that current GPRA requirements were
not in effect during FY 1998, the year for which the data were examined, and that it
would therefore be inappropriate to extrapolate the findings to SSA’s implementation of
GPRA for FY 1999 or FY 2000.

The GPRA statute requires that certain elements be included in annual performance
plans and that other elements be included in annual performance reports. GPRA further
requires that agencies prepare annual performance plans that set out specific
performance goals for FYs beginning with 1999. It also requires that agencies report
annually on performance compared to goals, with the first report due in March 2000, to
cover FY 1999. As mentioned above, the requirements of GPRA, including a description
of the means employed to verify and validate the measured values used to report on
program performance, were not in effect for FY 1998. 
SSA\xe2\x80\x99s efforts in this area were\npreliminary, and have significantly evolved with our FY 1999 and FY 2000 GPRA\ndocuments.\n\nFor FY 1998, and as we were moving toward preparation of our first GPRA Strategic\nPlan and our Annual Performance Plan for FY 1999, SSA published a Business Plan.\nWe stated in our Business Plan that for FY 1998 we were including performance\n\n\n\n                                          C-1\n\x0cmeasures for which we had measurement systems in place and current performance\ninformation. We also included related output measures for several priority workloads.\n\nAlthough not a GPRA requirement, we also elected to report in our FY 1998\nAccountability Report on those FY 1998 goals which we decided to include in our FY\n1999 Annual Performance Plan. We did not however, meet all the requirements for an\nAnnual Performance Report in that document nor was it our intention to do so. We are\nconcerned that implicit in many of the report\xe2\x80\x99s recommendations is the erroneous\nconclusion that SSA should have complied, in 1998, with statutory requirements that\nwere not yet in effect. We believe that all GPRA requirements are met, as required by\nstatute, by our recently released FY 1999 GPRA Performance Report.\n\nFinally, as you know, 30 of the 40 recommendations contained in the subject audit\nreport are either exactly duplicative or very nearly duplicative of recommendations\ncontained in past financial statement audit reports. Since we are already taking\ncorrective actions for those that we accepted as valid, we will not be addressing the\nduplicate recommendations in this response. We will, of course, continue our efforts to\nimplement corrective actions, as appropriate, and to provide status reports until\ncompleted.\n\nAs you indicate, SSA is positioned to be a leading performance based budgeting\norganization and to meet the future requirements of GPRA. 
The Office of Management
and Budget has designated SSA as a pilot project for performance budgeting. The
continuing disability reviews program is the specific activity covered by this designation
and the time period covered will be FY 2001. We anticipate that our participation will
enrich the learning from the government-wide pilot with regard to the feasibility and
impacts of performance based budgeting.

Attached are specific comments to the draft report. Staff questions may be referred to
Odessa J. Woods on extension 50378.

Improvement Area 1--SSA lacks sufficient performance measure process
documentation and did not retain documents to support the FY 1998 amount.

Recommendation 1

1.     We recommend that SSA place ownership for the performance measure process
and reporting within an organizational unit. Data ownership would still remain with the
user organizations. However, an organizational unit should be accountable for the
overall performance measure processes and results. Their charter should include the
following responsibilities:

• Identify and document the processes surrounding the generation and accumulation
  of performance measure values. This would establish a clear method for verifying
  and validating the performance measures.

• Establish policies and procedures surrounding the retention of performance measure
  documentation. The documentation retained should allow for the timely verification
  of the performance measure values, and should be maintained for at least one year.

• As new systems are developed, evaluate their potential impact on the accumulation
  of performance measure data.
  Systems with potential impact should be designed to
  include the means of producing a verifiable audit trail to validate the performance
  measure results as they are defined in the Accountability Report.

Response to Recommendation 1

We agree in concept with this recommendation. SSA’s Office of Strategic Management
(OSM) is responsible for coordinating the Agency’s GPRA activities. In addition, we will
continue to work to improve the development and retention of the kind of documentation
needed for external audits of our performance measures.

Improvement Area 2--SSA has a number of data integrity deficiencies.

Recommendations 2-10

Response to Recommendations 2 - 10

These recommendations are either a direct reprint of the recommendations contained in
PricewaterhouseCoopers' (PwC) FY 1998 Management Letter, Part 2 or a reiteration
containing only minor editorial changes.

Recommendation 2

We recommend the following:

• SSA should explore ways to expedite its efforts in approving and implementing the
  established tactical plan addressing the suspense file and reconciliation issues
  (ERMS)

Response to Recommendation 2

We agree and will explore ways to expedite implementation of the tactical plan item.
However, dependencies on other issues and initiatives will impede upon expediting this
particular initiative.

Improvement Area 3--SSA's system environment has security deficiencies.

Recommendations 12-22

Response to Recommendations 12-22

These recommendations are direct reprints of findings and recommendations contained
in PwC’s FY 1999 report on management's assertion about the effectiveness of internal
control.

Recommendation 12

As previously reported in the FY 1999 Accountability Report, we recommend that SSA
accelerate and build on its progress to enhance information protection by
further
strengthening its entity-wide security as it relates to implementation of physical and
technical computer security mechanisms and controls throughout the organization. In
general, we recommend that SSA:

• Reevaluate its overall organization-wide security architecture;

Response to Recommendation 12

SSA agrees with this recommendation and is initiating a full reassessment of its
organization-wide security architecture to ensure that vulnerabilities, especially those
introduced by new technology, are being addressed. This strategic reassessment will
allow SSA to identify any additional initiatives needed to upgrade its programs.
Enhancements to the existing architecture resulting from this activity will be
implemented and communicated to all SSA components.

Recommendation 13

• Reassess the security roles and responsibilities throughout the organization’s central
  and regional office components;

Response to Recommendation 13

SSA agrees with this recommendation and is currently reassessing security roles and
responsibilities. Recently, SSA elevated the organizational structure of the entity for
information systems security within the Office of Finance, Assessment and Management.
Also, within the Office of Operations, a higher level security oversight group was formed
and there was a reassessment of regional security officer roles to emphasize the
increased importance of their roles.

Recommendation 14

• Assure that the appropriate level of trained resources are in place to develop,
  implement and monitor the SSA security program;

Response to Recommendation 14

SSA agrees with this recommendation and has enhanced security training by directing
additional funds toward new security training courses for both Headquarters and regional
security staffs.
In addition, the Office of Systems is taking steps to improve its security
program by obtaining additional expertise via contractor services.

The additional training and the organizational refocusing discussed above will ensure the
appropriate level of trained resources are in place to develop, implement and monitor the
SSA security program.

Recommendation 15

• Enhance and institutionalize an entity-wide security program that facilitates
  strengthening of LAN and distributed systems’ security;

Response to Recommendation 15

SSA agrees with the recommendation and has been working diligently on improvements
in this area. SSA will continue to enhance and institutionalize the entity-wide security
program through a series of enhancements to the mainframe, LAN and distributive
systems. The enhancements will include: improved monitoring of access controls,
particularly in field activities; full implementation of the Enterprise Security Interface;
administrative monitoring and penetration testing.

Recommendation 16

• Review and certify system access for all users;

Response to Recommendation 16

SSA agrees with this recommendation and continues to make progress in this area.
The
Office of Systems continues to work aggressively to adjust access rights under its
Standardized System Profile Project.

Recommendation 17

• Enhance procedures for removing system access when employees are transferred or
  leave the agency;

Response to Recommendation 17

SSA agrees with this recommendation and will continue to improve our procedures and
the comprehensive processes already in place for removing system access when
employees are transferred or leave the Agency.

Recommendation 18

• Decrease vulnerabilities in the mainframe operating system configuration;

Response to Recommendation 18

SSA agrees with this recommendation and will continue to evaluate our mainframe
operating system configuration and initiate changes to protect against threats, both
deliberate and nonintentional.

Recommendation 19

• Implement the mainframe monitoring process;

Response to Recommendation 19

SSA agrees with this recommendation. As acknowledged earlier in the report, SSA has
established the SMART Report, which is distributed to the security officers responsible for
the groups using the systems. While most users are in non-Headquarters offices, all
users, including those in central office, are tracked and monitored. Procedures have
been distributed which focus the reviews on specific types of transaction scenarios,
thereby making the SMART system a more useful security management and
enforcement tool. We agree that additional enhancements for increased use of the report
can be made both in the field and in central office.
We will continue to improve the use of
the report to monitor inappropriate access to SSA's systems.

Recommendation 20

• Finalize accreditation and certification of systems;

Response to Recommendation 20

SSA agrees with this recommendation and either certified or recertified all of SSA's
sensitive systems in July 1999.

Recommendation 21

• Develop and implement an ongoing entity-wide information security compliance
  program; and

Response to Recommendation 21

SSA agrees with this recommendation and has a number of existing and planned
programs to monitor compliance with security policies and procedures. In addition to
automated controls, SSA also monitors compliance through programmatic and systems
audits, financial systems reviews, and other internal studies and reviews.

SSA has made progress in developing the Comprehensive Integrity Review Process
(CIRP) system that will consolidate integrity review functions into a single automated
facility where transactions will be screened against specific criteria. The criteria include
cross-application criteria and can be changed to concentrate on emerging trends. SSA
remains committed to ongoing enhancement and implementation of the CIRP system.

Recommendation 22

• Strengthen physical access controls at non-headquarters sites.

Response to Recommendation 22

SSA agrees with this recommendation and is committed to strengthening security at
non-Headquarters sites. We are in the process of enhancing the badging procedures
and policy enforcement in the regions and other major non-Headquarters facilities.
In
addition, the Agency, through its security tactical plan, has been working to increase
physical security at the National Computer Center (NCC) and SSA facilities around the
country.

Improvement Area 5--GPRA documents prepared for external evaluation of SSA
performance do not clearly indicate the sources of the performance measures.

Recommendation 26

We recommend that SSA develop clear and concise descriptions of each performance
measure's source.

Response to Recommendation 26

We agree that reporting documents prepared for public consumption should contain, in
lay terms, clear descriptions of the sources of our performance measures. We will
consult with your office to determine where you believe this is not the case. In addition,
we would note that our documents comply with the requirements of GPRA with regard
to appropriate level of documentation of the sources for external audiences. The A-11
guidance specifically recommends the following information on data sources:

• The current existence of relevant baseline data, including the time-span covered by
  trend data;
• The expected use of existing agency systems in the collection and reporting of data;
• The source of the measured data;
• Any expected reliance on an external source(s) for data, and identification of the
  source(s); and
• Any changes or improvements being made to existing data collection and reporting
  systems or processes to modify, improve, or expand their capability.

SSA’s FY 2000 Annual Performance Plan meets all these requirements.

Where additional, technical detail describing underlying processes and programmatic
systems that produce the reported metrics are needed by OIG and GAO auditors, we
will continue to make this detail available.

Improvement Area 6--SSA did not calculate the performance measure
as it is
defined.

Performance Measure #8—Percent of earnings posted to individuals’ records by
September 30

Recommendation 28

We recommend that SSA include the self-employment earnings in their calculation of
performance measure #8, as this calculation would more accurately reflect the objective
of the measure. If this is not feasible, we recommend that SSA clarify the definition
given for the performance measurement to include language stating that the total
number of annual earnings items posted is reduced by the number of self-employment
wages processed by the IRS. In addition, we recommend that SSA include a footnote
in its Accountability Report to indicate that the percent of annual earnings posted by
September 30th performance measurement is calculated on total annual earnings items
posted less self-employment wages processed by the IRS.

Response to Recommendation 28

This is duplicative of the recommendation made in the OIG report entitled,
“Performance Measurement Review: Survey of the Sources of the Social Security
Administration’s Performance Measurement Data” (A-02-98-01004), which was issued
in final on November 22, 1999.

We agree.
Effective with our revised final fiscal year (FY) 2000 APP and in our FY 2001
APP, we have clarified that self-employment earnings are not included in the earnings
measure.

We have made the following changes to the earnings process indicator:

Indicator FROM: Percent of earnings posted to individuals' records by September 30

Indicator TO: Percent of wages posted to individuals' records by September 30

Also, effective with our FY 2000 APP, we clearly stated in the definition of the indicator
for the percent of SSNs assigned via the Enumeration-at-Birth process and the time
associated with the delivery of the SSN card to the applicant.

Improvement Area 8--The Cost Analysis System's (CAS) procedural and systems
documentation have not been updated.

Recommendation 31

We recommend that DCA explore alternatives for acquiring the resources needed to
update the existing CAS procedural and systems documentation, and to obtain
procedural documentation for the replacement systems.

Response to Recommendation 31

This recommendation was included as a recommendation contained in PwC’s FY 1998
Management Letter, Part 2.

We agree and will pursue alternatives for acquiring the resources needed to update
CAS procedures, manuals, handbooks and documentation.
SSA is also initiating an
effort to design and implement an agency-wide managerial cost accountability process
and system which will eventually subsume the functions of the CAS.

Improvement Area 9--SSA has systems design and documentation deficiencies.

Response to Recommendations 32 - 34

These recommendations are equivalent to recommendations contained in PwC’s
FY 1998 Management Letter, Part 2.

Recommendation 32

We recommend the following:

• SSA should complete implementation of its Validation Transaction Tracking System
  (VTTS) and continue with its plan to automate the process for submitting System
  Release Certification (SRC) forms

Response to Recommendation 32

We agree and believe the first portion of this recommendation is complete. Systems
began using VTTS in 1996 for selected validations. In October 1998, its use became
mandatory for all validations. VTTS has been converted to SQL and is available for all
systems. Evaluation will continue to make it more useful and flexible.

Target dates for automating the SRC forms submission process are now in place.
Prototype automated change control procedures are currently being tested and
evaluated which will satisfy the second portion of this recommendation. We expect to
complete evaluation of the prototype design by Spring 1999. (The prototype evaluation
was staged to include various life cycle development projects, e.g., new software
development (online and batch), maintenance, cyclical projects.)
We are currently
setting up the evaluation of a maintenance type project.
Upon completion of the prototype evaluation, design changes resulting from the
evaluation will be incorporated into the automated procedures, software changes to this
process will be made, and we will then roll out the process on a project by project basis.
We expect to begin roll out by late Summer 1999.

Recommendation 33

• SSA should complete implementation of Platinum's Process Engineering Tool (PET)
  and institutionalize Carnegie Mellon's Software Engineering Institute's Capability
  Maturity Model (CMM) methodology

Response to Recommendation 33

We agree but believe it is too early in the implementation process to provide a date for
complete implementation.

Presently, SET standards require documenting software changes. Nevertheless, we
are developing a more robust mechanism to support SSA’s Information Technology (IT)
infrastructure.

We are committed to software process improvement using Carnegie Mellon’s Capability
Maturity Model (CMM). We have also procured the PLATINUM Technology, Inc.’s
Process Engineering Tool (PET). When fully implemented, PET will replace and expand
upon the foundation built by SET.

With PET integrated within our CMM approach, SSA is building the foundation for a
comprehensive software process improvement infrastructure that goes well beyond the
objectives of SET. This infrastructure will create an environment that encourages,
supports and provides assurance that we are continuously making improvements in the
quality of software, productivity of the software development staff, and timeliness of
software delivery.
This will be done by improving project management skills and
approaches; defining IT Processes based on SSA and industry best practices;
supporting the use of metrics; and continuously improving IT processes.

Three CMM pilot projects are well underway and using SSA developed documented
procedures required for compliance with CMM Level 2 Key Process Areas (KPAs).
KPAs indicate where an organization should focus to improve its software process and
identify the issues that must be addressed to achieve the next maturity level. The KPAs
at Level 2 focus on the software project’s concerns related to establishing basic project
management controls. These KPAs are:

• Requirements management
• Software project planning
• Software project tracking and oversight
• Software subcontract management
• Software quality assurance
• Software configuration management

Processes for all of these KPAs have been developed for iterative lifecycle projects and
are available to the pilot project teams over the Web and in the PET tool. DCS is in the
process of identifying additional similar “rollout” projects to begin in 1999, which will use
these processes to achieve CMM Level 2 compliance. In addition, processes will be
developed and pilots initiated in 1999 for the following types of project:

• Programmatic CICS and Batch
• Administrative Development
• Maintenance without established baselines
• Legislative and Notices

These processes will be developed using the PET tool and its rich repository of best
practices and process techniques as the delivery mechanism for CMM.
It will be
available to the projects over the Web.

Recommendation 34

• SSA should update its System Security Handbook (Chapter 10 on Systems Access
  Security) to address all of the acceptable forms for granting access to SSA’s
  computer systems and data

Response to Recommendation 34

We agree. Chapter 10 of the System Security Handbook lists the SSA-120 as the
only security form acceptable. There may be other non-security forms being used for
non-security purposes, but they are not appropriately included in the SSH.

Improvement Area 10--SSA has a number of deficiencies in their systems
contingency plan.

Response to Recommendations 35 – 40

These recommendations are direct reprints of recommendations contained in PwC’s
FY 1999 report on management's assertion about the effectiveness of internal control.

Recommendation 35

As previously stated in the FY 1999 Accountability Report, we recommend that SSA:

• Finalize the list of critical SSA workloads and fully test the plans for recovering each
  workload;

Response to Recommendation 35

SSA agrees with this recommendation. SSA recently reevaluated and confirmed its
critical workloads. Testing that will determine recoverability of all identified critical
workloads is scheduled for July 2000.

Recommendation 36

• Establish RTOs for each critical workload;

Response to Recommendation 36

SSA agrees with this recommendation. It is SSA's goal to provide users with a fully
integrated set of software to process each critical workload as rapidly as possible. As
part of our July 2000 test, we plan to assess and determine realistic timeframes and
sequences for restoring critical workloads. These objectives will be incorporated into the
next iteration of the Disaster Recovery Plan (DRP).
Subsequent DRP iterations will
include timeframes and other supporting information.

Recommendation 37

• Establish recovery priorities for all systems and applications (mainframe and
  distributed);

Response to Recommendation 37

SSA agrees with this recommendation and continues to work to establish recovery
priorities for all mainframe and distributed systems and applications. DRP identifies the
recovery sequence of all mainframe workloads. We plan to determine realistic
timeframes for reestablishing access to these workloads. In addition, SSA will work to
further define the recovery of the distributed workloads.

Recommendation 38

• Update contingency plans for headquarters;

Response to Recommendation 38

SSA agrees with this recommendation. In compliance with Presidential Decision
Directive Number 67, Enduring Constitutional Government and Continuity of Operations
Plan, SSA has convened an agencywide workgroup to develop an infrastructure for
contingency planning. This includes defining organizational roles and responsibilities,
essential operations and staffing, training, maintenance, etc. The actions recommended
by the workgroup and approved by SSA management will be incorporated into the
Agency Contingency plan.

Recommendation 39

• Finalize and test SSA’s ultimate strategy for implementing and maintaining alternate
  processing facilities; and

Response to Recommendation 39

SSA agrees with this recommendation. Our current IAA with GSA provides SSA with a
long-term, alternate facility supplied through a GSA contract. These provisions will be
implemented and provide SSA access to the site for 1 year should a catastrophic event
leave the NCC uninhabitable for longer than 6 weeks. SSA annually tests the use of
alternate facilities when conducting its disaster recovery test of NCC operations.
The
extent of these tests is limited by test time constraints, the smaller configuration used for
testing, availability of personnel and other such factors.

Over the years, SSA has gained significant experience in installing and running its
systems on a wide variety of hardware during disaster recovery tests and benchmarking
new computing platforms. We believe this experience has resulted in the development of
reliable procedures that allow SSA to bring up its systems at any site. This, of course,
does not remove SSA's burden of verifying that secondary sites are stocked, as indicated,
by the vendor. We will evaluate the benefits of establishing orientation visits at the
secondary sites.

Recommendation 40

• Finalize and test contingency plans for non-headquarters sites.

Response to Recommendation 40

SSA agrees with this recommendation and is in the process of reviewing and updating all
of the Security Action Plans (SAP) that are in place in its non-Headquarters facilities. The
Area Directors will review and test the SAPs as they visit each site during the course of
the year. The Agency also conducts field site visits to assess the security that is in place
in our offices. In the course of these visits, staff will analyze the plans for effectiveness
and verify that employees are familiar with their content and application.

We also offer the following comments:

Improvement Area 2
Other Matters

1. Documents prepared for external evaluation of SSA performance could be improved
to clearly explain the intended uses of the performance measures to comply with future
GPRA requirements.

Agency Comment

In response to the cited General Accounting Office recommendations, SSA is
expanding the explanation of the goals and measures and how they contribute to
evaluating overall SSA performance in the FY 2001 Performance Plan due to Congress
in February 2000.

2. The nine performance measures are not explicit performance budgeting metrics, but
are nonetheless appropriate internal performance indicators and are useful to the
SSA-wide strategic planning process.

Agency Comment

The statements in this section should be modified to recognize that stakeholders not
only include Congressional appropriators, but also customers, policy makers and the
general public who are looking at the overall effectiveness of the Agency in fulfilling its
mission. GPRA prescribes that outcome measures will be used for this purpose.

3. SSA is positioned to be a leading performance-based budgeting organization and to
meet the future requirements of GPRA.

Agency Comment

We appreciate the confidence expressed by the OIG in SSA readiness for performance
budgeting. The Office of Management and Budget (OMB) has designated SSA as one
of the government-wide performance budgeting pilot projects provided for in GPRA.
Within SSA, the Continuing Disability Reviews program is the specific activity covered
by this designation. OMB considers the performance budgeting pilot projects to be an
opportunity to examine the feasibility and potential application of several approaches to
performance budgeting.
In this context, OMB intends to use performance and resource
data provided by the pilots during development of the FY 2001 budget and to report to
Congress on the results of the pilots no later than March 31, 2001, as required by
GPRA.

Appendix A, Background, GPRA
This section should state clearly that the requirements of GPRA for Agency
performance plans and Agency performance reports were not in effect until FY 1999. It
should also acknowledge that although the report covers FY 1998 performance
measures, the GPRA requirements, including descriptions of the means employed to
verify and validate the measured values used to report on program performance, were
not in effect at that time.

Appendix A, SSA’s Performance Measures
The last paragraph should read “FY 1997-2002 strategic plan, “Keeping the Promise.”

Appendix D

Performance Measure Summary Sheets

Name of Measure: 7) Annual earnings items

Measure Type: Workload

Strategic Goal/Objective:
Goal: To make SSA Program management the best in business, with zero tolerance for
fraud and abuse.
Objective: To position the Agency's resources and processes to meet emerging workloads.

Definition:
A workload measure that accounts for the total number of items, including Current FICA
W2s, Medicare for Qualified Government Employee W2s, and Non-FICA W2s, posted to SSA
records by September 30.

Purpose:
To monitor SSA service programs in order to improve practice and to determine annual
earnings workload counts in order to accurately secure budgetary requirements. Also used
in the calculation of measure titled: Percent of earnings posted to individuals’ records
by September 30.

How Computed:
Sum of Current FICA W2s, Medicare for Qualified Government Employee W2s, and Non-FICA
W2s posted by the end of the fiscal year (September 30).

Data Source: EPOXY Accounting Statistics

Data Availability: Adequate

Data Quality: Adequate

Explanatory Information:
The timeframe used to account for total number of annual earnings items (posted to
records) runs for twelve months beginning in February and ending in February of the next
year.

Report Frequency: Quarterly

Target Goal: 243,100,000 items posted

Division: Office of Finance, Assessment and Management/Office of Financial Policy and
Operations

Designated Staff Members: Gerry Glaser, Mildred Camponeschi

EDP AUDITOR Testing and Results

EDP Auditor testing was performed to ensure controls were in existence and operating
effectively within the following processes:
• Applicable application controls
• Applicable general computer controls
• Implementation of established tactical plan addressing the suspense file and
  reconciliation issues
• Procedures for changing the status of processed batches of data from "hold" to "verified"
• Current procedural and systems documentation for CAS
• Formation of specific systems requirements for different major development projects,
  routine maintenance, and cyclical changes
• Information protection control structure (system security)
• SSA's systemic contingency plan
• Full documentation of program changes evidencing user approval and testing
• SSA's System Security Handbook

See results of engagement entitled "SSA has a number of data integrity deficiencies,"
"SSA's system environment has security deficiencies," "CAS systems and procedural
documentation have not been updated," "SSA has systems design and documentation
deficiencies," "SSA has a number of deficiencies in their systems contingency plan."

CAATs Testing and Results

• Ensured online central office Master Earnings File database fields were valid; and
• Replicated processed earnings items reported on Epoxy Accounting Statistics Report
  (Based upon
sampling).\n\nSee results of engagement entitled "SSA has a number of data integrity deficiencies."\n\n\n                                                                D-2\n\x0cProcess Improvement Testing and Results\n\nProcess Improvement testing was performed to ensure data availability and verify its accuracy within the following areas:\n\xe2\x80\xa2 Traced performance measure values per the FY98 Accountability Report to the values per the CAS Report;\n\xe2\x80\xa2 Traced performance measure values per the CAS Report to Epoxy Accounting Statistics Report; and\n\xe2\x80\xa2 Trace performance measure values per the Epoxy Accounting Statistics Report to the performance measure values in ERMS.\n\nSee results of testing entitled "SSA lacks sufficient performance measure process documentation, and does not retain documents to\nsupport the FY98 amounts," and " GPRA documents prepared for external evaluation of SSA performance do not clearly indicate the\nsources of the performance measures."\n\n\n\n\n                                                              D-3\n\x0cName of Measure                                      Measure Type              Strategic Goal/Objective\n\n8) Percent of earnings posted to individuals\xe2\x80\x99        Percentage                Goal: To make SSA Program management the best in\nrecords by September 30.                                                       
business, with zero tolerance for fraud and abuse.\n                                                                               Objective: To maintain, through 2002, current levels of\n                                                                               accuracy and timeliness in posting earnings data to\n                                                                               individuals\xe2\x80\x99 earnings records.\nDefinition                                                                                             Purpose\nThe relationship between the total number of earnings posted for the current tax year (TY) and an     To monitor the progress of the\nestimated amount of earnings.                                                                         earnings postings practice\n                                                                                                      during the year.\nHow Computed                                         Data Source                Data Availability     Data Quality\n\nThe fiscal year actual percentage is the number of EPOXY                        Adequate              Adequate\nearnings items posted through September 30, less ERMS\nself-employment earnings, for that TY (see\nmeasure titled: Total number of annual earnings\nitems posted to records), divided by the TY\nestimate of total posted annual earnings items\ngenerated by Office of Information Management\nand Office of Systems Requirements.\nExplanatory Information                                                                               Report Frequency\n\nThe timeframe used to account for total number of annual earnings items posted to records (tax        Quarterly\nyear) runs for twelve months beginning in February and ending in February of the next year. For\nthe FY98 performance measures, the tax year began the week ending February 20, 1998. 
This\ntimeframe precludes the use of an actual value in the calculation of the Percent of earnings posted\nto individuals\xe2\x80\x99 records by September 30 in the FY98 Accountability Report because it comes out in\nNovember, so an estimated value is used. The estimate number is generated by ORS staff, from\nthe following sources: the President\xe2\x80\x99s budget (published annually in February and revised annually\nin July as part of the mid-session review), prior year actual numbers, and historical data.\n\n\n\n\n                                                                  D-4\n\x0cTarget Goal                                         Division                   Designated Staff Members:\n\n98 percent                                          Office of Finance,         Gerry Glaser\n                                                    Assessment and             Mildred Camponeschi\n                                                    Management/Office of\n                                                    Financial Policy and\n                                                    Operations\nEDP AUDITOR Testing and Results\n\nEDP Auditor testing was performed to ensure controls were in existence and operating effectively within the following processes:\n\xe2\x80\xa2 Applicable application controls\n\xe2\x80\xa2 Applicable general computer controls\n\xe2\x80\xa2 Implementation of established tactical plan addressing the suspense file and reconciliation issues\n\xe2\x80\xa2 Procedures for changing the status of processed batches of data from "hold" to "verified"\n \xe2\x80\xa2 Current procedural and systems documentation for CAS\n\xe2\x80\xa2 Formation of specific systems requirements for different major development projects, routine maintenance, and cyclical changes\n\xe2\x80\xa2 Information protection control structure (system security)\n\xe2\x80\xa2 SSA\'s systemic contingency plan\n\xe2\x80\xa2 Full documentation of program changes evidencing user approval and 
testing\n \xe2\x80\xa2 SSA\'s System Security Handbook\n\nSee results of engagement entitled "SSA has a number of data integrity deficiencies", " SSA\'s system environment has security\ndeficiencies," "CAS procedural and systems documentation have not been updated," "SSA has systems design and documentation\ndeficiencies," "SSA has a number of deficiencies in their systems contingency plan."\nCAATs Testing and Results\n\n\xe2\x80\xa2   Ensured online central office Master Earnings File database fields were valid; and\n\xe2\x80\xa2   Replicated processed earnings items reported on Epoxy Accounting Statistics Report (Based upon sampling).\n\nSee results of engagement entitled "SSA has a number of data integrity deficiencies."\n\n\n\n\n                                                                D-5\n\x0cProcess Improvement Testing and Results\n\n\xe2\x80\xa2   Traced performance measure values per the FY 98 Accountability Report to the values per the CAS Report;\n\xe2\x80\xa2   Traced performance measure values per the CAS Report to the Epoxy Accounting Statistics Report;\n\xe2\x80\xa2   Traced performance measure values per the Epoxy Accounting Statistics Report to ERMS; and\n\xe2\x80\xa2   Reperformed and verified calculation output on AWR spreadsheets.\n\nSee results of testing entitled "SSA lacks sufficient performance measure process documentation, and does not retain documents to\nsupport the FY98 amounts," " GPRA documents prepared for external evaluation of SSA performance do not clearly indicate the\nsources of the performance measures," and "SSA did not calculate three of the performance measures as they are stated in their\nrespective definitions."\n\n\n\n\n                                                               D-6\n\x0c                             Appendix E\n\nPerformance Measure Process Maps\n\n\n\n\n               D-1\n\x0c                                                     Posted Earnings Process\n                            PM #7: Total 
Number of Annual Earnings Items Posted\n                PM #8: Percentage of Earnings Posted to Individual Records by September 30th\n\n                                           Employer\n                                       Information sent\n                                      directly to NCC via\n                                       Submitter Direct\n\n\n    Employer sends\n    W-2s & W-3s to                   WBDOC receives,\n         SSA                         edits, and balances\n                                        Paper W-2s\n\n\n\n                                                                                   File Control formats    File Control opens                            ERMS Merge\n                                      OCRO receives,                                                                                 SSN/Name\n                                                            Data is sent to File       raw data into         records on the                             process reunites\n                                      magnetic media                                                                             Validation Process\n                                                             Control at NCC          common format          Employer Control                             W-2 and W-3\n                                         W-2s                                                                                     with NUMIDENT\n                                                                                         records           Data Base (ECDB)                                information\n\n\n\n\nyed (SE)        IRS provides SE\n                                     SE Data is received\nsend tax         data to SSA via\n                                        and edited\n                direct connection\n\n\n\n\n                                      ERMS Dispatcher                               VA PrePosting\n           
 ERMS Edit/Balance                                  ERMS Data                                     ERMS (MEF              ERMS (MEF\n                                      process evaluates                             Process creates\nection       process performs                               Exchange process                                Update process)       Update process)\n                                       error codes and                             MEF File (EPDES)\n             edits, validations                             produces all major                               performs edit        posts Individual\'s\n                                       directs records                              & Suspense File\n               and balances                                 earnings interfaces                                checks             earnings to MEF\n                                         accordingly                                    (SCIR)\n\n\n\n\n                       OSDD Obtains                                                            Division of Cost     Values for PMs in\ntains No. of          Estimated No. 
of                                                         Analysis takes       CAS Code #0702\n                                                OSDD provides         PMs are processed\nosted by 9/30      Earnings Posted for year                                                   IWMS output and        are entered into             End\n                                                OFPO with PMs          through IWMS\nS via EPOXY        from ORES, & corrects                                                      enters values into      Accountability\n                       with OSR data                                                          CAS Code#0702              Report\n\n\n\n\n                                                                                                                                                        Sheet 1/1\n\n\n\n\n                                                                                   D-2\n\x0c'